Specification of Viper1 in Z.


Summary 

The Viper1 microprocessor has already been specified mathematically in HOL. HOL, however,
is not well known outside the hardware verification community. This paper covers the
specification of Viper1 in the Z specification language. Various features of Viper1 have
been specified in Z which did not occur in the top level HOL specification. It has not been
possible to prove any correspondence between this specification and the original HOL
specification. The work involved in writing the Viper1 specification has proved useful in
writing the initial Viper2 specification.


©  Controller,  HMSO  1988 


1  Introduction 


In safety critical systems the idea of diversity improving safety is well
established. Safety critical systems may employ a number of processors
independently executing algorithms which obey a common high level specification.


The same can be seen to be true in the specification and design of safety critical
systems. Just as there may be an error in a specific microprocessor, which could
cause one channel of a system to fail in service, there may be an error in a
specification. The chances of this escaping the notice of the designers are reduced by
specifying the system in more than one way. This is most effective when the two
specification systems are basically different in character. This means that by
ensuring the system conforms to both of the specifications the chance of an error
still being present is greatly reduced. Proofs of correspondence may then be
attempted to establish that the two texts have the same meaning.


It was decided to specify Viper1 in Z for a number of reasons. Firstly, Z was
sufficiently different from the HOL specification [1] to give reasonable diversity. Z is
also more widely known in terms of software specification than HOL. Another advantage
of Z was the fact that it had been used by J. Bowen [2] to specify the M6800
microprocessor. A lot of the groundwork developed by Bowen in specifying a
microprocessor instruction set has been used in this specification. Finally, at RSRE
there is a Z editor and type checker available for use on the PerqFlex system.


This report is the first attempt to specify Viper1 in Z. It makes no attempt to
explain the primary constructs of Z, nor to act as a tutorial in Z. Readers not familiar
with Z should consult reference [3]. Although the specification has been type checked,
it has neither been proved to be equivalent to the HOL specification, nor free from
logical errors. Any inconsistencies or errors found in this document should be
reported back to the Computing Division at RSRE.


2 Basic functions

2.1 Bits and Words


Initially  the  models  adopted  to  represent  bits  and  words  need  to  be 
defined,  along  with  the  relationships  between  these  models  and  the 
natural  numbers  which  they  represent. 

Bit == {0, 1}

Word == { w : ℕ ⇸ Bit | #w > 0 ∧ dom w = 0 .. (#w - 1) }


Bits are represented as the set of elements with values 0 or 1.
Words are represented as the set of partial functions from natural
numbers to Bits whose domain is a contiguous range starting at 0. The
natural numbers correspond to the position of the bit in the word,
i.e. the result of w(n) (the word w applied to the value n) gives the
(n+1)th Bit of the word w, bit 0 being the least significant.


  | LSB, MSB : Word → Bit
  |----------------------------------------------
  | ∀ w : Word •
  |     LSB w = w 0
  |     MSB w = w (#w - 1)


Find the most and least significant bits of the word.


  | val : Word → ℕ
  |----------------------------------------------
  | ∀ w : Word •
  |     (#w = 1) ⇒ (val w = LSB w)
  |     (#w > 1) ⇒ (val w = LSB w + 2 * val(succ ; w))

val returns the natural number represented by the word. Note that
succ ; w gives the effect of a right shift, i.e. a division by two, on
the word: if succ ; w is applied to n then first succ n is calculated,
and then w of n+1 is calculated, i.e. the (n+2)th Bit is returned
rather than the (n+1)th one.


  | pred : ℕ₁ → ℕ
  |----------------------------------------------
  | ∀ n : ℕ₁ • pred n = n - 1

Useful for left shifting (in a similar way to the technique
described above).


  | (_ set _) : (Word × Bit) → Word
  |----------------------------------------------
  | ∀ w : Word; b : Bit •
  |     w set b = w ; {0 ↦ b, 1 ↦ b}

The set function returns a word which has all of its bits set to the
specified value.


  | maxval : Word → ℕ
  |----------------------------------------------
  | ∀ w : Word •
  |     maxval w = val(w set 1)


  ¬ (∃ w : Word • (val w) > maxval w)

Returns the maximum value which can be stored in the word. The theorem
following the definition states that no word can hold a value larger
than its maxval.


  | wrd : ℕ₁ → (ℕ → Word)
  |----------------------------------------------
  | ∀ size : ℕ₁; valu : ℕ; w : Word •
  |     (wrd size valu = w) ⇔
  |         (#w = size) ∧
  |         (val w = valu mod succ(maxval w))


wrd returns the word of size size set to the value valu (reduced
modulo succ(maxval w), i.e. 2^size, if the word cannot hold that
value). Note no algorithm is given for calculating wrd from its
arguments, just the relationships which must hold between the word
returned and the input arguments.


  | (_ ^ _) : (Word × Word) → Word
  |----------------------------------------------
  | ∀ w1, w2 : Word •
  |     w1 ^ w2 = w1 ∪ (pred^(#w1) ; w2)


  ∀ w1, w2 : Word • #(w1 ^ w2) = #w1 + #w2


Concatenate two words together; the length of the result is the sum of
the two lengths (pred iterated #w1 times re-indexes the bits of w2).


2.3 Logical functions on words

The standard wordwise logical functions, e.g. finding the logical AND
of two words.

  | wnot : Word → Word
  |----------------------------------------------
  | ∀ w : Word •
  |     wnot w = w ; not


Generate the inverse of the input word (not being the complement
function on single Bits).


WordPair ==
  { w : ℕ ⇸ (Bit × Bit) | #w > 0 ∧ dom w = 0 .. ((#w) - 1) }


  | (_ pair _) : (Word × Word) → WordPair
  |----------------------------------------------
  | ∀ w1, w2 : Word •
  |     w1 pair w2 =
  |         { i : ℕ | i ∈ dom w1 ∩ dom w2 • i ↦ (w1 i, w2 i) }

Takes a pair of words and represents them as a set of bit pairs,
indexed by a single natural number.


  | (_ and _), (_ or _), (_ exor _) : (Word × Word) → Word
  |----------------------------------------------
  | ∀ w1, w2 : Word •
  |     w1 and w2  = ((w1 pair w2) ; (_ . _))
  |     w1 or w2   = ((w1 pair w2) ; (_ + _))
  |     w1 exor w2 = ((w1 pair w2) ; (_ ⊕ _))

Standard wordwise logical functions, obtained by composing the word of
bit pairs with the corresponding function on pairs of Bits (. for AND,
+ for OR and ⊕ for exclusive OR).


  | (_ « _) : (Word × Bit) → Word
  |----------------------------------------------
  | ∀ w : Word; b : Bit •
  |     w « b = ({#w} ⩤ (pred ; w)) ∪ {0 ↦ b}


  | (_ » _) : (Bit × Word) → Word
  |----------------------------------------------
  | ∀ w : Word; b : Bit •
  |     b » w = {(#w - 1) ↦ b} ∪ (succ ; w)

Shift left and right while inserting a particular bit into the right
or left most position. In w « b every bit moves up one place (pred ; w),
the bit shifted out of the top is discarded and b becomes the new least
significant bit; in b » w every bit moves down one place (succ ; w) and
b becomes the new most significant bit.
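As an added, executable reading of sections 2.1 and 2.3 (example code written for this edition, not part of the RSRE report): words as little-endian Python bit lists, with val defined by the same succ ; w recursion as above, the set, maxval, wrd, concatenation, logical and shift functions, and an exhaustive check of the maxval theorem together with the arithmetic effect of the two shifts. The bit-list representation, the function names and the reading of the concatenation (w1 keeps positions 0..#w1-1, as the pred^#w1 definition states) are assumptions of this model, and wrd is one algorithm satisfying the report's relation, which deliberately gives none.

```python
# Added example, not part of the RSRE report: an executable model of the
# word definitions of sections 2.1 and 2.3. A Word is modelled as a Python
# list of bits indexed from 0, so w[n] is the Z partial function w applied
# to n, i.e. the (n+1)th bit, with bit 0 the least significant.
from typing import List, Tuple

Word = List[int]            # every element is a Bit, 0 or 1


def is_word(w: Word) -> bool:
    """Membership test for the Z set Word: non-empty, every element a Bit."""
    return len(w) > 0 and all(b in (0, 1) for b in w)

def lsb(w: Word) -> int:
    return w[0]                     # LSB w = w 0

def msb(w: Word) -> int:
    return w[-1]                    # MSB w = w (#w - 1)

def val(w: Word) -> int:
    """val exactly as the report defines it: recursion on succ ; w, which is
    the word with its least significant bit dropped (a right shift)."""
    if len(w) == 1:
        return lsb(w)
    return lsb(w) + 2 * val(w[1:])  # w[1:] models succ ; w

def word_set(w: Word, b: int) -> Word:
    """w set b: w ; {0 |-> b, 1 |-> b}, every bit replaced by b."""
    return [b for _ in w]

def maxval(w: Word) -> int:
    return val(word_set(w, 1))      # 2^#w - 1

def wrd(size: int, valu: int) -> Word:
    """wrd size valu. The report only states the relation the result must
    satisfy (#w = size, val w = valu mod 2^size); this little-endian
    bit-list construction is one algorithm that satisfies it (assumption)."""
    assert size >= 1
    n = valu % (maxval([1] * size) + 1)   # succ(maxval w)
    return [(n >> i) & 1 for i in range(size)]

def concat(w1: Word, w2: Word) -> Word:
    """w1 ^ w2 = w1 ∪ (pred^#w1 ; w2): w1 keeps positions 0..#w1-1 and
    every bit of w2 is moved up by #w1 places."""
    return w1 + w2

def pair(w1: Word, w2: Word) -> List[Tuple[int, int]]:
    """w1 pair w2: bit pairs indexed over dom w1 ∩ dom w2."""
    return [(w1[i], w2[i]) for i in range(min(len(w1), len(w2)))]

def wand(w1: Word, w2: Word) -> Word:
    return [a & b for a, b in pair(w1, w2)]

def wor(w1: Word, w2: Word) -> Word:
    return [a | b for a, b in pair(w1, w2)]

def wexor(w1: Word, w2: Word) -> Word:
    return [a ^ b for a, b in pair(w1, w2)]

def wnot(w: Word) -> Word:
    return [1 - b for b in w]       # w ; not

def shift_left(w: Word, b: int) -> Word:
    """w « b = ({#w} ⩤ (pred ; w)) ∪ {0 |-> b}: pred ; w moves every bit up
    one place, the bit that lands on position #w is dropped, b enters at 0."""
    return [b] + w[:-1]

def shift_right(b: int, w: Word) -> Word:
    """b » w = {(#w - 1) |-> b} ∪ (succ ; w): every bit moves down one place
    and b becomes the new most significant bit."""
    return w[1:] + [b]

def check_word_laws(size: int) -> bool:
    """Exhaustive check over all words of the given size of the report's
    theorem that no word holds a value above maxval, together with the
    arithmetic reading of the two shifts: a left shift doubles the value
    (mod 2^size) and adds the inserted bit, a right shift halves it and
    puts the inserted bit at the top."""
    top = maxval([1] * size)
    for n in range(2 ** size):
        w = wrd(size, n)
        if not (len(w) == size and val(w) == n <= top):
            return False
        for b in (0, 1):
            if val(shift_left(w, b)) != (2 * n + b) % (top + 1):
                return False
            if val(shift_right(b, w)) != n // 2 + b * 2 ** (size - 1):
                return False
    return True
```

check_word_laws is the executable counterpart of the theorem that follows maxval; running it for a few small sizes is a cheap sanity check on any later change to the representation.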


2.4 Arithmetic Functions


Next the mathematical functions must be defined. This includes
introducing integers (i.e. 2's complement notation), and standard
mathematical operations and exceptions (for example add and carry).


  | value : Word → ℤ
  |----------------------------------------------
  | ∀ w : Word •
  |     ((MSB w = 1) ∧ value w = val w - succ(maxval w)) ∨
  |     ((MSB w = 0) ∧ value w = val w)


Return the integer value represented by the Word. This is using the
2's complement notation. The most significant bit of an n-bit word has
a weighting of -2^(n-1). So to cope with negative numbers subtract 2^n
(which is succ(maxval w)) whenever the most significant bit is set.


  | maxpos, maxneg : Word → ℤ
  |----------------------------------------------
  | ∀ w1, w2 : Word | #w1 > 1 ∧ #w2 = (#w1) - 1 •
  |     maxpos w1 = maxval w2
  |     maxneg w1 = (maxval w2) - (maxval w1)

Return the maximum positive and negative numbers for a word of a
particular size: for n bits these are 2^(n-1) - 1 and -2^(n-1).


  | (_ signextend _) : (Word × ℕ₁) → Word
  |----------------------------------------------
  | ∀ w1, w2 : Word; length : ℕ₁ |
  |     (length > #w1) ∧ (#w2 = length - #w1) •
  |     (w1 signextend length) = (w2 set (MSB w1)) ^ w1

Sign extend the word to the new word length: the extra bits are copies
of the sign bit.

  | (_ pad _) : (Word × ℕ₁) → Word
  |----------------------------------------------
  | ∀ w1, w2 : Word; length : ℕ₁ |
  |     (length > #w1) ∧ (#w2 = length - #w1) •
  |     (w1 pad length) = (w2 set 0) ^ w1


Pad out a word to the new word length with zeros.


  | (_ trim _) : (Word × ℕ₁) → Word
  |----------------------------------------------
  | ∀ w : Word; length : ℕ₁ | length ≤ #w •
  |     w trim length = (0 .. length - 1) ◁ w

Trim a word down to the new word length, keeping the least significant
bits.


  | (_ plus _) : (Word × Word) → Word
  |----------------------------------------------
  | ∀ w1, w2, w3 : Word | (#w1) = ((#w2) + 1) ∧ (#w2) = (#w3) •
  |     ((w2 plus w3) = (w1 trim #w2)) ⇔
  |         (value w1) = (value w2) + (value w3)


Primitive addition. All that is checked for is that the input words
are of the same size, and that the output word is one bit larger, so
that carry can be detected. Word addition is defined in terms of
integer addition, i.e. addition per se is not defined: the result is
the (n+1)-bit word whose integer value is the sum, trimmed back to n
bits.


  | (_ minus _) : (Word × Word) → Word
  |----------------------------------------------
  | ∀ w1, w2, w3 : Word | (#w1) = ((#w2) + 1) ∧ (#w2) = (#w3) •
  |     ((w2 minus w3) = (w1 trim #w2)) ⇔
  |         (value w1) = (value w2) - (value w3)


Subtraction is defined similarly to addition; note there are no checks
for overflow etc.


  | (_ carry _) : (Word × Word) → Bit
  |----------------------------------------------
  | ∀ w1, w2 : Word | #w1 = #w2 •
  |     (w1 carry w2 = 1) ⇔ ((val w1) + (val w2) > maxval w1)


Top level specification of carry, i.e. a carry is generated when the
addition result is larger than the maximum possible value which can be
stored.


  | (_ borrow _) : (Word × Word) → Bit
  |----------------------------------------------
  | ∀ w1, w2 : Word | #w1 = #w2 •
  |     (w1 borrow w2 = 1) ⇔ ((val w1) < (val w2))


Top level specification of borrow.


  | (_ overflow _) : (Word × Word) → Bit
  |----------------------------------------------
  | ∀ w1, w2 : Word | #w1 = #w2 •
  |     (w1 overflow w2 = 1) ⇔
  |         (((value w1) + (value w2) > maxpos w1) ∨
  |          ((value w1) + (value w2) < maxneg w2))


Top level specification of overflow, i.e. overflow when the sum is
greater than the largest positive value which can be held, or less
than the largest negative number.


  | (_ underflow _) : (Word × Word) → Bit
  |----------------------------------------------
  | ∀ w1, w2 : Word | #w1 = #w2 •
  |     (w1 underflow w2 = 1) ⇔
  |         (((value w1) - (value w2) > maxpos w1) ∨
  |          ((value w1) - (value w2) < maxneg w2))


Top level specification of overflow on subtraction.


  | (_ equal _) : (Word × Word) → Bit
  |----------------------------------------------
  | ∀ w1, w2 : Word | #w1 = #w2 •
  |     (w1 equal w2 = 1) ⇔ (value w1 = value w2)

Set to 1 if the two words have the same value (and 0 otherwise).

  | (_ less _) : (Word × Word) → Bit
  |----------------------------------------------
  | ∀ w1, w2 : Word | #w1 = #w2 •
  |     (w1 less w2 = 1) ⇔ (value w1 < value w2)

Set to 1 if the first word is less than the second (and 0 otherwise).
Both comparisons are made on the signed (2's complement) value of the
words; the unsigned ordering is given by borrow.


This completes the underlying theory of representing natural number
arithmetic by operations on vectors of bits.
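An added executable model of section 2.4 (example code, not part of the report),
using the same little-endian bit lists as the earlier example. It shows plus and
minus built from the integer values exactly as the definitions state, the carry,
borrow, overflow and underflow flags, and a check over every pair of 5-bit words
that the top-level flag specifications agree with an ordinary modular adder. The
function names, the bit-list representation and the placement of sign-extension
and padding bits in the high-order positions are this model's assumptions.

```python
# Added example, not part of the RSRE report: an executable model of the
# section 2.4 arithmetic definitions and the flags derived from them.
# Words are little-endian bit lists (bit 0 least significant). The flag
# specifications are stated in terms of integer values; check_flags confirms,
# exhaustively for a small word size, that they agree with what a modular
# n-bit adder actually does.
from typing import List

Word = List[int]


def val(w: Word) -> int:
    return sum(b << i for i, b in enumerate(w))

def wrd(size: int, n: int) -> Word:
    n %= 2 ** size                                # val = n mod 2^size
    return [(n >> i) & 1 for i in range(size)]

def maxval(w: Word) -> int:
    return 2 ** len(w) - 1                        # val(w set 1)

def value(w: Word) -> int:
    """2's complement: subtract succ(maxval w) = 2^n when the MSB is set."""
    return val(w) - (maxval(w) + 1) if w[-1] == 1 else val(w)

def maxpos(w: Word) -> int:
    return 2 ** (len(w) - 1) - 1                  # maxval of the (n-1)-bit word

def maxneg(w: Word) -> int:
    return maxpos(w) - maxval(w)                  # = -2^(n-1)

def plus(w2: Word, w3: Word) -> Word:
    """w2 plus w3: the (n+1)-bit word whose value is the sum, trimmed to n
    bits. n+1 bits always hold the sum, so it is exact before trimming."""
    assert len(w2) == len(w3)
    n = len(w2)
    return wrd(n + 1, value(w2) + value(w3))[:n]

def minus(w2: Word, w3: Word) -> Word:
    assert len(w2) == len(w3)
    n = len(w2)
    return wrd(n + 1, value(w2) - value(w3))[:n]

def carry(w1: Word, w2: Word) -> int:
    return 1 if val(w1) + val(w2) > maxval(w1) else 0

def borrow(w1: Word, w2: Word) -> int:
    return 1 if val(w1) < val(w2) else 0

def overflow(w1: Word, w2: Word) -> int:
    s = value(w1) + value(w2)
    return 1 if s > maxpos(w1) or s < maxneg(w2) else 0

def underflow(w1: Word, w2: Word) -> int:
    d = value(w1) - value(w2)
    return 1 if d > maxpos(w1) or d < maxneg(w2) else 0

def signextend(w: Word, length: int) -> Word:
    """Extra bits are copies of the sign bit. Assumption of this model: the
    extension occupies the high-order positions."""
    return w + [w[-1]] * (length - len(w))

def pad(w: Word, length: int) -> Word:
    return w + [0] * (length - len(w))

def trim(w: Word, length: int) -> Word:
    return w[:length]                             # (0 .. length-1) ◁ w

def check_flags(n: int) -> bool:
    """For every pair of n-bit words: plus/minus wrap modulo 2^n, carry is
    the (n+1)th bit of the unsigned sum, borrow is unsigned a < b, and
    overflow/underflow fire exactly when the signed result does not fit."""
    lo, hi = -(2 ** (n - 1)), 2 ** (n - 1) - 1
    for a in range(2 ** n):
        for b in range(2 ** n):
            wa, wb = wrd(n, a), wrd(n, b)
            sa, sb = value(wa), value(wb)
            ok = (
                val(plus(wa, wb)) == (a + b) % 2 ** n
                and val(minus(wa, wb)) == (a - b) % 2 ** n
                and carry(wa, wb) == (a + b) >> n
                and borrow(wa, wb) == (1 if a < b else 0)
                and overflow(wa, wb) == (0 if lo <= sa + sb <= hi else 1)
                and underflow(wa, wb) == (0 if lo <= sa - sb <= hi else 1)
            )
            if not ok:
                return False
    return True
```

The check is the point of the example: the report defines the flags at the level of integer values, and a simulation of the processor is only trustworthy if those definitions coincide with bit-level behaviour for every operand pair, which is feasible to confirm exhaustively at small widths.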


3 Viper Specifics

3.1 Word Lengths

These are the specific word sizes used in the Viper1 processor.


Word32 == { w : Word | #w = 32 }    -- for Data words
Word20 == { w : Word | #w = 20 }    -- for Address words
Word4  == { w : Word | #w = 4 }     -- for the function select
Word3  == { w : Word | #w = 3 }     -- for the destination select
Word2  == { w : Word | #w = 2 }     -- for the register and memory select
Word1  == { w : Word | #w = 1 }     -- for the comparison select and flags


Address == Word20
Data    == Word32
Flag    == Word1


3.2 Memory


The definition of the Memory and Peripheral spaces, and the
behaviour of these two regions.


  Memory ______________________________________
  | Mem       : Address → Data
  | RAMspace  : Address → Data
  | PERIspace : Address → Data
  | io        : Bit
  |---------------------------------------------
  | (io = 0) ⇒ (Mem = RAMspace)
  | (io = 1) ⇒ (Mem = PERIspace)
  |_____________________________________________

Two regions of non overlapping address space, RAM and PERIpheral,
selected by the io line. The two types of memory totally cover the
memory space.

  ΔMemory _____________________________________
  | Memory
  | Memory'
  | δMem : Address ⇸ Data
  |---------------------------------------------
  | (io = 0) ⇒ (Mem' = Mem ⊕ δMem)
  |_____________________________________________


If the location is in RAM then the address is updated (Mem' is Mem
overridden by the changed locations δMem); however with PERIpheral
space the values can change without any modification from the
processor. No mention of the behaviour of the PERIpheral space is
given, because there is no way to model in general these very specific
devices. The specification of the behaviour of these devices is left
to the system specification.


  ΞMemory _____________________________________
  | ΔMemory
  |---------------------------------------------
  | δMem = ∅
  |_____________________________________________


No change in memory.


3.3 Registers


The specification of the Viper1 registers.

  Registers ___________________________________
  | A : Word32
  | X : Word32
  | Y : Word32
  | P : Word20
  | B : Word1
  |_____________________________________________


The five visible registers of the Viper. A is an accumulator, X and Y
are index registers, P the program counter and B the boolean flag.


  ΔRegisters __________________________________
  | Registers
  | Registers'
  | newp : Address
  |_____________________________________________


Note P' is always updated (unless the machine has stopped).


  ΞRegisters __________________________________
  | ΔRegisters
  |---------------------------------------------
  | A' = A
  | X' = X
  | Y' = Y
  | B' = B
  |_____________________________________________


i.e. no change (P' is left unconstrained here).


3.4 Clock


The existence of a clock was not represented in any manner in the
HOL specification of Viper1, but it is included here as a matter of
completeness.


  Clock _______________________________________
  | Clk : ℕ
  |_____________________________________________


Clock simply counts up from 0.


  ΔClock ______________________________________
  | Clock
  | Clock'
  | Cycles : ℕ
  |---------------------------------------------
  | Clk' = Clk + Cycles
  |_____________________________________________


Cycles is the number of cycles needed to complete the present
instruction. It is intended to include information about how many
cycles each instruction takes to complete in the schemas of the
individual instructions.


3.5 Stop

The definition of the stop flag and the way the processor behaves
when stopped and in the normal mode of operation.


  Stop ________________________________________
  | stop : Bit
  |_____________________________________________


Single Bit to determine whether the machine is stopped or not.


  ΔStop _______________________________________
  | ΔRegisters
  | Stop
  | Stop'
  | sval  : Bit
  | reset : Bit
  |---------------------------------------------
  | stop = 0
  | reset = 0
  | stop' = sval
  | newp = P plus (wrd 20 1)
  |_____________________________________________

Set the new value of the program counter and the stop bit for the
next state. The machine is not stopped. The parameter reset is the
reset line to the processor. It is treated as a synchronous reset, i.e.
it is only noticed at the start of an instruction.

  Stopped _____________________________________
  | ΞMemory
  | ΞRegisters
  | Stop
  | Stop'
  | ΔClock
  | reset : Bit
  |---------------------------------------------
  | stop = 1
  | reset = 0
  | P' = P
  |_____________________________________________


The machine has stopped, and cannot restart until there is a Reset.


3.6 Viper State


  ViperOpCode _________________________________
  | op   : Word32
  | rsf  : Word2
  | msf  : Word2
  | dsf  : Word3
  | csf  : Word1
  | fsf  : Word4
  | addr : Word20
  |---------------------------------------------
  | op = rsf ^ msf ^ dsf ^ csf ^ fsf ^ addr
  |_____________________________________________


The Viper1 Op code. The Op code is loaded in from the location
pointed to by the Program counter (P). The Op code consists of six
fields. These are:

(1) The Register Select Field (rsf) - This selects which of the four
registers is going to be used as the input to the ALU.

(2) The Memory Select Field (msf) - This selects the addressing mode
for the operation.

(3) Destination Select Field (dsf) - This selects the destination
register for the result, and also whether the result is a Jump or a
Call.


(4) Comparison Select Field (csf) - This selects whether the operation
is a comparison (setting the B flag) or an arithmetic or logical
function, returning a result. It is also used to distinguish between
Jump and Call instructions.

(5) The Function Select Field (fsf) - This determines the ALU operation
for Comparisons or Arithmetic and Logical functions.

(6) The Address Field (addr) - The address used to pull in the second
operand from memory, or used as Jump address etc.


  ArithmeticAndLogicalUnit ____________________
  | result : Word32
  | offs   : Word32
  | r, m   : Word32
  |_____________________________________________


The inputs and outputs to/from the ALU. r holds the value from the
register, specified in the register select field of the Op code, which
is the first operand to the ALU. The parameter offs is the address of
the memory input to the ALU (or the actual input if the operation is
in immediate addressing mode). The parameter m is the actual value
passed as the second operand to the ALU. Finally result is the output
from the ALU.


  ΔViper ______________________________________
  | ΔMemory
  | ΔRegisters
  | ΔClock
  | ΔStop
  | ViperOpCode
  | ArithmeticAndLogicalUnit
  | bval : Bit
  |---------------------------------------------
  | op = Mem(P)
  |_____________________________________________


The Viper State. For the machine to change to a new state the
machine must not be stopped (ΔStop requires stop = 0).

  ΞViper ______________________________________
  | ΔViper
  | ΞMemory
  | ΞRegisters
  | ΔStop
  |_____________________________________________


Viper state unchanged (except P updated).

  ΔViperINIT __________________________________
  | ΔViper
  |---------------------------------------------
  | Clk' = 0
  | stop' = 0
  | val(P') = 0
  | val(A') = 0
  | val(X') = 0
  | val(Y') = 0
  | val(B') = 0
  |_____________________________________________

The initial state: the clock, the stop bit and all of the registers
are zero.


4 Viper Operations

4.1 ALU inputs

In this section the various inputs to the Viper1 ALU are specified.


  RegisterSelect ______________________________
  | ΔViper
  |---------------------------------------------
  | (val rsf = 0) ⇒ (r = A)
  | (val rsf = 1) ⇒ (r = X)
  | (val rsf = 2) ⇒ (r = Y)
  | (val rsf = 3) ⇒ (r = P pad 32)
  |_____________________________________________

Select the register to be the r input to the ALU.

  Offset ______________________________________
  | ΔViper
  |---------------------------------------------
  | (val msf = 0) ⇒ (offs = addr pad 32)
  | (val msf = 1) ⇒ (offs = addr pad 32)
  | (val msf = 2) ⇒ (offs = (addr pad 32) plus X)
  | (val msf = 3) ⇒ (offs = (addr pad 32) plus Y)
  |_____________________________________________


Determine the address of the second word to be input to the ALU.


  ReadFromRAM _________________________________
  | Offset
  |---------------------------------------------
  | ¬((val dsf = 7) ∨ (val dsf = 6))
  | (val fsf ≠ 2) ∨ (val csf = 1)
  | io = 0
  |_____________________________________________


Read in input to the ALU from RAM. There is no read when a write is
specified (i.e. if the dsf is 6 or 7); there is also no read from RAM
when there is an input from PERI space (i.e. if the fsf is two and the
csf is zero); finally the address of the location to be read from must
be in the RAM space.

  ReadFromPERI ________________________________
  | Offset
  |---------------------------------------------
  | ¬((val dsf = 7) ∨ (val dsf = 6))
  | val csf = 0
  | val fsf = 2
  | io = 1
  |_____________________________________________


Read in an input from the PERIpheral space.

Input ≙ ReadFromRAM ∨ ReadFromPERI

  NilMemoryRead _______________________________
  | Offset
  |---------------------------------------------
  | val fsf = 12
  | val csf = 0
  | ¬((val dsf = 6) ∨ (val dsf = 7))
  |_____________________________________________


This is the case where there is to be no word read in from memory,
i.e. when the ALU function is a shift operation.


  MemoryRead __________________________________
  | Offset
  |---------------------------------------------
  | (val msf = 0) ∧ (m = offs) ∨
  | (val msf ≠ 0) ∧ (m = Mem(offs trim 20))
  |_____________________________________________


This is the case where the memory read is to go ahead: if msf is 0
then it is immediate addressing, otherwise get the value from the
location pointed to by offs.


MemRead ≙ (NilMemoryRead ∨ (¬NilMemoryRead ∧ MemoryRead)) ∧ Input


MemRead is either a nil memory read or a memory read.

4.3 Illegal Operations


Illegal operations, which will cause an error.

  | invalid : Word → Bit
  |----------------------------------------------
  | ∀ w : Word •
  |     (invalid w = 1) ⇔ (val w > maxval (wrd 20 0))

Function set to 1 if the word cannot be held in a 20 bit word.

  SpareFunction _______________________________
  | ΔViper
  |---------------------------------------------
  | val csf = 0
  | ¬((val dsf = 6) ∨ (val dsf = 7))
  | (val fsf = 13) ∨ (val fsf = 14) ∨ (val fsf = 15)
  |_____________________________________________


The Op code is accessing one of the three spare functions of the
Viper's ALU.

  IllegalCall _________________________________
  | ΔViper
  |---------------------------------------------
  | val csf = 0
  | val fsf = 1
  | (val dsf = 0) ∨ (val dsf = 1) ∨ (val dsf = 2)
  |_____________________________________________


The ALU operation is a Call, but the destination for the result is
set to A, X or Y.


  IllegalPDestination _________________________
  | ΔViper
  |---------------------------------------------
  | val csf = 0
  | (val dsf = 3) ∨ (val dsf = 4) ∨ (val dsf = 5)
  | ¬((val fsf = 1) ∨ (val fsf = 3) ∨ (val fsf = 5) ∨ (val fsf = 7))
  |_____________________________________________


The destination for the result from the ALU is the Program counter.
However the ALU function is an illegal way of generating the new
Program Counter value.


  IllegalWrite ________________________________
  | Write
  |---------------------------------------------
  | val msf = 0
  |_____________________________________________


The operation is a write, but immediate addressing has been
specified.


  IllegalAddress ______________________________
  | Offset
  |---------------------------------------------
  | (val csf = 1) ∨ (val fsf ≠ 12) ∨ (val dsf = 6) ∨ (val dsf = 7)
  | invalid offs = 1
  |_____________________________________________


A memory location needs to be read or written, but the location to be
accessed is not a valid address.


  IllegalPIncrement ___________________________
  | ΔViper
  |---------------------------------------------
  | invalid newp = 1
  |_____________________________________________

The Program Counter is to be incremented past the end of the address
space.


  Error _______________________________________
  | ΔStop
  | ΞViper
  |---------------------------------------------
  | sval = 1
  | P' = newp
  |_____________________________________________


The machine must stop, with all registers other than P as they were
previously.


Errors ≙ (IllegalAddress ∨ IllegalCall ∨ IllegalWrite
          ∨ IllegalPIncrement ∨ SpareFunction
          ∨ IllegalPDestination) ∧ Error
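The decode of an Op code into its six fields and the evaluation of the illegal-operation schemas above, as an added example (example code, not the report's own specification). It assumes that the concatenation puts rsf at the top of the 32-bit word and addr in the low 20 bits, treats dsf 6 or 7 as the write case (the Write schema does not appear in this document), and takes newp as the integer P + 1 so that an increment past the top of the address space is detectable, which is what IllegalPIncrement describes.

```python
# Added example, not part of the RSRE report: decoding a Viper1 Op code
# into its six fields and evaluating the illegal-operation schemas of
# section 4.3 on it. Assumptions: op = rsf ^ msf ^ dsf ^ csf ^ fsf ^ addr
# is read with rsf as the most significant field and addr as the low 20
# bits; "write" means dsf is 6 or 7 (the Write schema itself is not in the
# report); newp is P + 1 taken as an integer so that running past the end
# of the address space is detectable, as IllegalPIncrement intends.
from typing import Dict, List

ADDR_MAX = 2 ** 20 - 1          # maxval (wrd 20 0)
WORD32 = 2 ** 32


def encode(rsf: int, msf: int, dsf: int, csf: int, fsf: int, addr: int) -> int:
    """Build a 32-bit Op code from its fields (field widths from section 3.1)."""
    assert rsf < 4 and msf < 4 and dsf < 8 and csf < 2 and fsf < 16
    assert 0 <= addr <= ADDR_MAX
    return (rsf << 30) | (msf << 28) | (dsf << 25) | (csf << 24) | (fsf << 20) | addr


def decode(op: int) -> Dict[str, int]:
    """ViperOpCode: split op into rsf, msf, dsf, csf, fsf and addr."""
    return {
        "rsf": (op >> 30) & 0x3,
        "msf": (op >> 28) & 0x3,
        "dsf": (op >> 25) & 0x7,
        "csf": (op >> 24) & 0x1,
        "fsf": (op >> 20) & 0xF,
        "addr": op & ADDR_MAX,
    }


def invalid(n: int) -> bool:
    """invalid w = 1 iff the value cannot be held in a 20-bit word."""
    return n > ADDR_MAX


def offset(f: Dict[str, int], X: int, Y: int) -> int:
    """Offset schema: addr (padded to 32 bits), or addr plus X or Y mod 2^32."""
    if f["msf"] in (0, 1):
        return f["addr"]
    return (f["addr"] + (X if f["msf"] == 2 else Y)) % WORD32


def errors(op: int, P: int, X: int, Y: int) -> List[str]:
    """Names of the section 4.3 schemas satisfied by this Op code in the
    given register state. A non-empty list means the Error schema applies:
    sval = 1 and the machine stops with its registers unchanged."""
    f = decode(op)
    is_write = f["dsf"] in (6, 7)
    # IllegalAddress only applies when a memory location is actually used:
    # a comparison, any non-shift function, or a write.
    reads_memory = f["csf"] == 1 or f["fsf"] != 12 or is_write
    offs = offset(f, X, Y)
    found = []
    if f["csf"] == 0 and not is_write and f["fsf"] in (13, 14, 15):
        found.append("SpareFunction")
    if f["csf"] == 0 and f["fsf"] == 1 and f["dsf"] in (0, 1, 2):
        found.append("IllegalCall")
    if f["csf"] == 0 and f["dsf"] in (3, 4, 5) and f["fsf"] not in (1, 3, 5, 7):
        found.append("IllegalPDestination")
    if is_write and f["msf"] == 0:
        found.append("IllegalWrite")
    if reads_memory and invalid(offs):
        found.append("IllegalAddress")
    if invalid(P + 1):
        found.append("IllegalPIncrement")
    return found
```

Note that the indexed addressing modes form offs with a 32-bit add, so a 20-bit address plus a large index register wraps rather than saturates; the IllegalAddress test is made on the wrapped value, exactly as the Offset and invalid definitions compose.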


4.4 Comparison Functions


  CompareFrame ________________________________
  | RegisterSelect
  | MemRead
  |---------------------------------------------
  | P' = newp
  | A' = A
  | X' = X
  | Y' = Y
  | δMem = ∅
  | val csf = 1
  |_____________________________________________


This is the framing schema for comparison operations. All registers
are unchanged except for the Program counter. B' is set in the various
comparisons below.


  LessThan ____________________________________
  | CompareFrame
  |---------------------------------------------
  | val fsf = 0
  | val B' = (r less m)
  |_____________________________________________

  GreaterThanOrEqualTo ________________________
  | CompareFrame
  |---------------------------------------------
  | val fsf = 1
  | val B' = not (r less m)
  |_____________________________________________

  EqualTo _____________________________________
  | CompareFrame
  |---------------------------------------------
  | val fsf = 2
  | val B' = (r equal m)
  |_____________________________________________

  NotEqualTo __________________________________
  | CompareFrame
  |---------------------------------------------
  | val fsf = 3
  | val B' = not (r equal m)
  |_____________________________________________

  LessThanOrEqualTo ___________________________
  | CompareFrame
  |---------------------------------------------
  | val fsf = 4
  | val B' = (r less m) + (r equal m)
  |_____________________________________________

  GreaterThan _________________________________
  | CompareFrame
  |---------------------------------------------
  | val fsf = 5
  | val B' = not ((r less m) + (r equal m))
  |_____________________________________________

  UnsignedLessThan ____________________________
  | CompareFrame
  |---------------------------------------------
  | val fsf = 6
  | val B' = (r borrow m)
  |_____________________________________________

  UnsignedGreaterThanOrEqualTo ________________
  | CompareFrame
  |---------------------------------------------
  | val fsf = 7
  | val B' = not (r borrow m)
  |_____________________________________________

  LessThanOrB _________________________________
  | CompareFrame
  |---------------------------------------------
  | val fsf = 8
  | val B' = (r less m) + val B
  |_____________________________________________

  GreaterThanOrEqualToOrB _____________________
  | CompareFrame
  |---------------------------------------------
  | val fsf = 9
  | val B' = not (r less m) + val B
  |_____________________________________________

  EqualToOrB __________________________________
  | CompareFrame
  |---------------------------------------------
  | val fsf = 10
  | val B' = (r equal m) + val B
  |_____________________________________________

  NotEqualToOrB _______________________________
  | CompareFrame
  |---------------------------------------------
  | val fsf = 11
  | val B' = not (r equal m) + val B
  |_____________________________________________

  LessThanOrEqualToOrB ________________________
  | CompareFrame
  |---------------------------------------------
  | val fsf = 12
  | val B' = ((r less m) + (r equal m)) + val B
  |_____________________________________________

  GreaterThanOrB ______________________________
  | CompareFrame
  |---------------------------------------------
  | val fsf = 13
  | val B' = not ((r less m) + (r equal m)) + val B
  |_____________________________________________

  UnsignedLessThanOrB _________________________
  | CompareFrame
  |---------------------------------------------
  | val fsf = 14
  | val B' = (r borrow m) + val B
  |_____________________________________________

  UnsignedGreaterThanOrEqualToOrB _____________
  | CompareFrame
  |---------------------------------------------
  | val fsf = 15
  | val B' = not (r borrow m) + val B
  |_____________________________________________


Compare ≙ LessThan ∨ GreaterThanOrEqualTo ∨ EqualTo ∨ NotEqualTo
          ∨ LessThanOrEqualTo ∨ GreaterThan
          ∨ UnsignedLessThan ∨ UnsignedGreaterThanOrEqualTo
          ∨ LessThanOrB ∨ GreaterThanOrEqualToOrB
          ∨ EqualToOrB ∨ NotEqualToOrB
          ∨ LessThanOrEqualToOrB ∨ GreaterThanOrB
          ∨ UnsignedLessThanOrB ∨ UnsignedGreaterThanOrEqualToOrB


Compare is the disjunction of all of the basic comparison schemas.
Functions 0 to 7 set B from the comparison alone; functions 8 to 15 OR
the same comparison with the previous value of B.
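The sixteen comparison functions as one executable table, an added example (not from the report), working on 32-bit unsigned integers. It shows the signed/unsigned split between less and borrow, the OrB accumulation, and a two-instruction range check of the kind the OrB forms make possible. The integer representation and the helper names are assumptions of the example.

```python
# Added example, not part of the RSRE report: the sixteen comparison
# functions of section 4.4 as one executable table, working on 32-bit
# unsigned integers rather than bit lists. fsf 0-7 set B from the
# comparison alone; fsf 8-15 OR the same comparison with the old B, which
# is what lets a sequence of comparisons accumulate a condition.
from typing import List

WORD32 = 2 ** 32


def value(n: int) -> int:
    """2's complement value of a 32-bit word (section 2.4)."""
    return n - WORD32 if n >> 31 else n


def compare(fsf: int, r: int, m: int, b: int) -> int:
    """New value of B for comparison fsf (csf = 1) on operands r and m.
    less/equal use signed values; borrow (unsigned less) uses val."""
    less = 1 if value(r) < value(m) else 0
    equal = 1 if value(r) == value(m) else 0
    borrow = 1 if r < m else 0
    base = {
        0: less,                 # LessThan
        1: 1 - less,             # GreaterThanOrEqualTo
        2: equal,                # EqualTo
        3: 1 - equal,            # NotEqualTo
        4: less | equal,         # LessThanOrEqualTo
        5: 1 - (less | equal),   # GreaterThan
        6: borrow,               # UnsignedLessThan
        7: 1 - borrow,           # UnsignedGreaterThanOrEqualTo
    }[fsf & 7]
    return base | b if fsf >= 8 else base   # 8-15 are the OrB variants


def out_of_range(r: int, lo: int, hi: int) -> int:
    """A two-instruction sequence using the OrB forms: B := r < lo, then
    B := (r > hi) OR B. The result is 1 iff r lies outside lo..hi
    (signed). This is the accumulation pattern the OrB variants exist for."""
    b = compare(0, r, lo, 0)       # LessThan
    return compare(13, r, hi, b)   # GreaterThanOrB


def signed_vs_unsigned(r: int, m: int) -> List[int]:
    """[signed r < m, unsigned r < m]: the two orderings disagree whenever
    the operands differ in their sign bit."""
    return [compare(0, r, m, 0), compare(6, r, m, 0)]
```

The range check is the interesting case for a bounds test on an address or index: the two comparisons accumulate into B without any intermediate register, and choosing fsf 0 (signed) or fsf 6 (unsigned) decides whether a value with the top bit set counts as negative or as very large.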


  ALUframe ____________________________________
  | RegisterSelect
  | MemRead
  | Pwrite : Bit
  |---------------------------------------------
  | δMem = ∅
  | val csf = 0
  | (Pwrite = 1) ⇔ ((val dsf = 3) ∨ (val dsf = 4) ∨ (val dsf = 5))
  |_____________________________________________

This is the framing schema for all of the ALU operations. Note
memory cannot be changed and it is not a comparison. Pwrite is 1 if
the destination of the result is the Program counter.

  Negate ______________________________________
  | ALUframe
  |---------------------------------------------
  | val fsf = 0
  | result = wnot m
  | B' = B
  | sval = 0
  |_____________________________________________

Invert the input word.

  Call ________________________________________
  | ALUframe
  |---------------------------------------------
  | val fsf = 1
  | result = m
  | P' = m
  | A' = A
  | X' = X
  | Y' = newp
  | B' = B
  | sval = not(Pwrite) + (invalid m)
  |_____________________________________________


Call a subroutine. Set the Program counter to m, and leave the return
address in the Y register. Stop if there is a call to an illegal
address or there is not a legal P destination.

  InputFromPERI _______________________________
  | ALUframe
  |---------------------------------------------
  | val fsf = 2
  | result = m
  | B' = B
  | sval = 0
  |_____________________________________________


Input a value from the PERIpheral space. Note io has already been
set to 1 in section 4.1 (ReadFromPERI).


  ReadFromMemory ______________________________
  | ALUframe
  |---------------------------------------------
  | val fsf = 3
  | result = m
  | B' = B
  | sval = Pwrite . (invalid m)
  |_____________________________________________


Return the value in memory, and stop if the result is destined for
the Program counter but is not a valid address.


ReadOp ≙ (InputFromPERI ∨ ReadFromMemory)

The two read operations, i.e. the ALU is transparent.

  UnsignedAdd _________________________________
  | ALUframe
  |---------------------------------------------
  | val fsf = 4
  | result = r plus m
  | val B' = r carry m
  | sval = 0
  |_____________________________________________


Add r to m, setting B if there is a carry.

  AddStopOnOverflow ___________________________
  | ALUframe
  |---------------------------------------------
  | val fsf = 5
  | result = r plus m
  | B' = B
  | sval = (r overflow m) + (invalid(result) . Pwrite)
  |_____________________________________________


Add r to m, stopping if there is an overflow, or if the result is
destined for the Program counter and is not a valid address. B is left
unchanged.

  UnsignedSubtract ____________________________
  | ALUframe
  |---------------------------------------------
  | val fsf = 6
  | result = r minus m
  | val B' = r borrow m
  | sval = 0
  |_____________________________________________


Subtract m from r, setting B if there is a borrow.


  SubtractStopOnOverflow ______________________
  | ALUframe
  |---------------------------------------------
  | val fsf = 7
  | result = r minus m
  | B' = B
  | sval = (r underflow m) + (invalid(result) . Pwrite)
  |_____________________________________________

Subtract m from r, stopping on overflow (or on an invalid Program
counter value). B is left unchanged.


ArithmeticOp ≙ (UnsignedAdd ∨ AddStopOnOverflow
                ∨ UnsignedSubtract ∨ SubtractStopOnOverflow)

The four arithmetic operations.


  ExclusiveOr _________________________________
  | ALUframe
  |---------------------------------------------
  | val fsf = 8
  | result = r exor m
  | B' = B
  | sval = 0
  |_____________________________________________

Returns the Exclusive Or of the two input words.

  And _________________________________________
  | ALUframe
  |---------------------------------------------
  | val fsf = 9
  | result = r and m
  | B' = B
  | sval = 0
  |_____________________________________________

Returns the Logical and of the two inputs.

  Nor _________________________________________
  | ALUframe
  |---------------------------------------------
  | val fsf = 10
  | result = wnot (r or m)
  | B' = B
  | sval = 0
  |_____________________________________________

Returns the inverted or of the two inputs.

  AndNot ______________________________________
  | ALUframe
  |---------------------------------------------
  | val fsf = 11
  | result = r and wnot (m)
  | B' = B
  | sval = 0
  |_____________________________________________


Returns the logical and of the input register and the inverted
memory input.


LogicalOp ≙ (Negate ∨ AndNot ∨ Nor ∨ And ∨ ExclusiveOr)

The five logical operators.


  ArithmeticShiftRight ________________________
  | ALUframe
  |---------------------------------------------
  | val fsf = 12
  | val msf = 0
  | result = MSB r » r
  | B' = B
  | sval = 0
  |_____________________________________________


Arithmetic Shift Right, shifting in the MSB (i.e. sign) bit.

  LogicalShiftRight ___________________________
  | ALUframe
  |---------------------------------------------
  | val fsf = 12
  | val msf = 1
  | result = val B » r
  | val B' = LSB r
  | sval = 0
  |_____________________________________________


Logical Shift Right through the Boolean Flag B.

  ArithmeticShiftLeft _________________________
  | ALUframe
  |---------------------------------------------
  | val fsf = 12
  | val msf = 2
  | result = r plus r
  | B' = B
  | sval = (r overflow r)
  |_____________________________________________


Arithmetic Shift Left, stopping the processor on overflow.


  LogicalShiftLeft ____________________________
  | ALUframe
  |---------------------------------------------
  | val fsf = 12
  | val msf = 3
  | result = r « val B
  | val B' = MSB r
  | sval = 0
  |_____________________________________________


Logical Shift Left through the Boolean Flag B.


ShiftOp ≙ (ArithmeticShiftRight ∨ LogicalShiftRight
           ∨ ArithmeticShiftLeft ∨ LogicalShiftLeft)

The four shift operations. Note that for the shifts the memory select
field chooses the shift rather than an addressing mode, since no
memory operand is read (NilMemoryRead).


  UnusedFunctions _____________________________
  | ALUframe
  |---------------------------------------------
  | (val fsf = 13) ∨ (val fsf = 14) ∨ (val fsf = 15)
  | result = r
  | B' = B
  | sval = 1
  |_____________________________________________


The function called is one of the three unused functions in the
Viper ALU. This will cause the Viper to stop.


ALU ≙ (ReadOp ∨ ArithmeticOp
       ∨ LogicalOp ∨ ShiftOp ∨ UnusedFunctions)


The result from the ALU is one of the above functional groups.
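An added executable version of the ALU function groups above (example code, not the report's specification), returning the (result, B', sval) triple that the schemas constrain, on 32-bit unsigned integers. Pwrite is passed in as a flag and the shift variants are selected by msf as in the ShiftOp schemas; the names and the integer representation are the example's own.

```python
# Added example, not part of the RSRE report: the ALU function groups of
# this section (ReadOp, ArithmeticOp, LogicalOp, ShiftOp, UnusedFunctions)
# as one executable function on 32-bit unsigned integers. It returns the
# triple (result, B', sval) that every schema above constrains; sval = 1 is
# the request to stop the processor. Assumption: Pwrite is passed in as a
# flag (1 when the destination select names the program counter).
from typing import Tuple

WORD32 = 2 ** 32
MASK = WORD32 - 1
ADDR_MAX = 2 ** 20 - 1


def value(n: int) -> int:
    return n - WORD32 if n >> 31 else n

def invalid(n: int) -> int:
    return 1 if n > ADDR_MAX else 0

def overflow(a: int, b: int) -> int:
    """a overflow b: the signed sum does not fit in 32 bits."""
    s = value(a) + value(b)
    return 1 if s > 2 ** 31 - 1 or s < -(2 ** 31) else 0

def underflow(a: int, b: int) -> int:
    """a underflow b: the signed difference does not fit in 32 bits."""
    d = value(a) - value(b)
    return 1 if d > 2 ** 31 - 1 or d < -(2 ** 31) else 0

def alu(fsf: int, msf: int, r: int, m: int, B: int, Pwrite: int) -> Tuple[int, int, int]:
    """(result, B', sval) for function select fsf with csf = 0.
    msf only matters for fsf = 12, where it picks the shift."""
    if fsf == 0:                                  # Negate (bitwise NOT of m)
        return (~m) & MASK, B, 0
    if fsf == 1:                                  # Call
        return m, B, (1 - Pwrite) | invalid(m)
    if fsf == 2:                                  # InputFromPERI
        return m, B, 0
    if fsf == 3:                                  # ReadFromMemory
        return m, B, Pwrite & invalid(m)
    if fsf == 4:                                  # UnsignedAdd, B := carry
        return (r + m) & MASK, (r + m) >> 32, 0
    if fsf == 5:                                  # AddStopOnOverflow
        res = (r + m) & MASK
        return res, B, overflow(r, m) | (invalid(res) & Pwrite)
    if fsf == 6:                                  # UnsignedSubtract, B := borrow
        return (r - m) & MASK, 1 if r < m else 0, 0
    if fsf == 7:                                  # SubtractStopOnOverflow
        res = (r - m) & MASK
        return res, B, underflow(r, m) | (invalid(res) & Pwrite)
    if fsf == 8:                                  # ExclusiveOr
        return r ^ m, B, 0
    if fsf == 9:                                  # And
        return r & m, B, 0
    if fsf == 10:                                 # Nor
        return (~(r | m)) & MASK, B, 0
    if fsf == 11:                                 # AndNot
        return r & (~m) & MASK, B, 0
    if fsf == 12:                                 # ShiftOp, selected by msf
        msb, lsb = r >> 31, r & 1
        if msf == 0:                              # ArithmeticShiftRight: MSB r » r
            return (r >> 1) | (msb << 31), B, 0
        if msf == 1:                              # LogicalShiftRight through B
            return (r >> 1) | (B << 31), lsb, 0
        if msf == 2:                              # ArithmeticShiftLeft: r plus r
            return (r + r) & MASK, B, overflow(r, r)
        return ((r << 1) & MASK) | B, msb, 0      # LogicalShiftLeft through B
    return r, B, 1                                # UnusedFunctions: stop
```

Two details are worth noticing when reading the schemas against this table: only the unsigned add and subtract (and the two logical shifts) ever write B, and the only way an ALU operation reaches sval = 1 is an overflow, an address that does not fit in 20 bits when the result is bound for P, a mis-specified call, or a spare function code.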


  ResultToA ___________________________________
  | ALUframe
  |---------------------------------------------
  | val dsf = 0
  | A' = result
  | X' = X
  | Y' = Y
  | P' = newp
  |_____________________________________________


Store the result from the ALU in the A register.


  ResultToX ___________________________________
  | ALUframe
  |---------------------------------------------
  | val dsf = 1
  | A' = A
  | X' = result
  | Y' = Y
  | P' = newp
  |_____________________________________________


Store the result from the ALU in the X register.

  ResultToY ___________________________________
  | ALUframe
  |---------------------------------------------
  | val dsf = 2
  | A' = A
  | X' = X
  | Y' = result
  | P' = newp
  |_____________________________________________


Store the result from the ALU in the Y register.

  Jump ________________________________________
  | ALUframe
  |---------------------------------------------
  | val fsf ≠ 1
  | A' = A
  | X' = X
  | Y' = Y
  | P' = result
  |_____________________________________________


Branch instruction (as opposed to a call): simply set the program
counter to be equal to the result from the ALU.


  Conditions __________________________________
  | ΔViper
  |---------------------------------------------
  | (val dsf = 3) ∨
  | ((val dsf = 4) ∧ (val B = 1)) ∨
  | ((val dsf = 5) ∧ (val B = 0))
  |_____________________________________________


The values of dsf for the various conditional jumps and calls. For
the unconditional jump or call dsf is 3, for a jump or call on B set
dsf is 4, and for a jump or call on B = 0 dsf is 5.


Destination ≙ (ResultToA ∨ ResultToX ∨ ResultToY ∨
               (Jump ∧ Conditions))


ALUOp ≙ (ALU ∧ Destination) ∨ (Call ∧ Conditions)


4.6 Next Viper State


OKState ≙ ¬(Errors) ∧ (MemWrite ∨ NoOp ∨ Compare ∨ ALUOp ∨ Reset)


NextState ≙ (Errors ∨ OKState ∨ Stopped ∨ Reset)

The next state is one of four cases: the machine is either stopped, or
there is an error, in which case the next state will be stopped, or
there is a reset and the next state will be the initial state, or it
will continue to work normally.


5 Conclusions


The document gives an initial specification of Viper1 in Z. It has
demonstrated that Z can give a higher level specification than the HOL
specification. Z has also been shown to be a useful language in which
to specify a microprocessor.


Although this specification has been written some time after the
HOL specification, it was still a worthwhile exercise. This
specification can be checked against the HOL version. The experience
gained has also been useful in specifying Viper2.